In 2011 the technology to provide for the safety and security of text messaging was not available, and at that time The Joint Commission (“TJC”) said it was not acceptable for practitioners to text orders for patient care and treatment. Then in May of 2016, TJC acknowledged that all of the technology, data privacy and security issues it had identified in 2011 had been addressed. As published in The Joint Commission Perspectives, TJC revised its position and said physicians could text message when done in accordance with standards of practice, laws and regulations, and policies and practices, “as long as the system met specific requirements.”

Since then, however, TJC got together with CMS and recently issued updated recommendations that include the following:

Providers should have policies prohibiting the use of unsecured text messaging of PHI.

CPOE (computerized provider order entry) should be the preferred method for submitting orders, which are directly entered into the electronic health record.

If a CPOE or written order is not available, a verbal order is acceptable, but only when impossible or impracticable to use CPOE or written orders.

The use of secure text orders is not permitted at this time.

After further review, the call on the field, as it were, has been overturned.

This turnaround came about after TJC and CMS discussed the issues with numerous stakeholders, including text messaging platform vendors and experts in EHRs. The identified issues that led to the recent decision included:

Increased burden on nurses to manually transcribe text orders into the EHR.

Verbal orders are preferred when CPOE is not used, because they allow for real-time clarification and confirmation of the order as it is given by the practitioner.

Text messaging could cause delay in treatment where a clinical decision support (“CDS”) recommendation or alert is triggered during data entry, requiring the nurse to contact the practitioner for additional information.

The full text of the Dec. 22, 2016 article is available for download on the TJC website.

Once again news reports teach us that the time to have your robust data privacy and security program in place and continually monitored was yesterday!

On June 26 it was reported on DataBreaches.net that 655,000 patient records from three different healthcare databases were up for sale on the dark net. According to reports on the DeepDotWeb, at least one of the hacked entities was using SRS EHR v.9 patient management software. DeepDotWeb also reports that the hacker communicated with them over an encrypted Jabber conversation, and included images from the largest database hack from the hacker’s internal network. The seller/hacker asked the website to add a note to the breached companies: “Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Apparently it was shortly after that a fourth stolen database, consisting of a reported 9.3 million individuals’ records from a health insurer, went up for sale. The hacker taking credit for all four refers to himself as “The Dark Overlord”. He claims to have contacted the entities to warn them about the vulnerabilities of their systems, and offered to fix or reveal the problems for an undisclosed amount, which the healthcare organizations declined. In other words, the hacker offered the stolen data back to its owners for an extorted ransom. When the demand was not paid, the hacker moved on to Plan B – sell the data on the dark web. The hacker offered the data from the four hacked healthcare organizations for prices ranging from $96,000 to $490,000 in bitcoin.

In the past week two of The Dark Overlord’s targets – Athens Orthopedic Clinic in Georgia and a Missouri group of clinics owned by Dr. Scott Van Ness – have been identified. The hacker accessed the electronic medical records of both targets using the credentials of a third-party vendor. Personal information of current and former patients was breached, including names, addresses, social security numbers, dates of birth and telephone numbers, and in some cases diagnoses and partial medical history. Athens Orthopedic Clinic is advising its current and past patients to place a fraud alert on their credit reports with the major credit bureaus. This notice, however, is alleged to have materialized only after the events of last weekend, when 500 patient records from Athens Orthopedic Clinic appeared on Pastebin, with a note to their CEO to “pay the [expletive omitted] up.”

Notably, according to reports on Databreaches.net, both entities have acknowledged that the attacker likely got access through an unnamed third-party contractor (presumably the EMR vendor). Databreaches.net claims, however, that neither entity mentioned the ransom demands or that patient data was being dumped in public and was still up for sale on the dark net. Athens Orthopedic Clinic apparently did work to get the information removed from Pastebin, but the other group’s data was still posted as of July 16.

Several lessons, or at least questions, must be in the minds of any healthcare organization as they learn of these events. First is the question of whether your own data security is protected from such attacks, or whether you are vulnerable as well. How safe is your EMR system? How closely do you audit and monitor the third-party vendors you contract with? Second, and something I think every organization should have at least a working framework to use for analysis in the event they find themselves the recipient of a post-breach ransom demand: what will your response be in the event you receive such a demand?

The Office of the National Coordinator for Health Information Technology (ONC) recently issued an updated Guide to Privacy and Security of Electronic Health Information. The guide is a resource that can help health care providers comply with the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs’ privacy and security requirements and the HIPAA Privacy, Security, and Breach Notification Rules.

The guide provides a summary of key information in the following areas:

Understanding HIPAA rules;

Patients’ Health Information Rights;

Electronic Health Records, the HIPAA Security Rules, and Cybersecurity; and

The guide walks health care providers through the key components of each of these subject areas.

In addition, the guide provides tools for health care providers who want to implement a security management process or provide notification about a HIPAA breach. The guide has a sample seven-step approach that can be used to implement a security management process, including help addressing the security requirement contained in Meaningful Use for the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs. Finally, the guide provides information about what to do if there is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information. This information includes a risk assessment process for breaches, reporting breaches, and government investigation and enforcement of potential HIPAA violations.

About Gordon & Rees

Gordon & Rees is a national litigation and business transactions firm with more than 800 attorneys across the United States. We deliver maximum value to our clients by combining the resources, size, and scale of a full-service national firm with the responsiveness, flexibility, and local knowledge of a regional firm.